A glut of iOS 0-days pushes their price below cost of those for Android

For the first time ever, the security exploit broker Zerodium is paying a higher price for zero-day attacks that target Android than it pays for comparable attacks targeting iOS.

An updated price list published Tuesday shows Zerodium will now pay $2.5 million apiece for “full chain (Zero-Click) with persistence” Android zero-days, compared with $2 million for iOS zero-days that meet the same criteria. The previous program overview offered $2 million for unpublished iOS exploits but made no reference at all to Android exploits. Zerodium founder and CEO Chaouki Bekrar told Ars that the broker had paid for Android exploits on a “case by case basis depending on the chain.”

“Flooded by iOS exploits”

Bekrar told Ars the move was prompted by a glut of working iOS exploit chains that has coincided with the growing difficulty of finding comparable exploits for versions 8 and 9 of Android. In a message, Bekrar wrote:

During the last few months, we have observed an increase in the number of iOS exploits, mostly Safari and iMessage chains, being developed and sold by researchers from all around the world. The zero-day market is so flooded by iOS exploits that we’ve recently started refusing some [of] them.

On the other hand, Android security is improving with every new release of the OS thanks to the security teams of Google and Samsung, so it became very hard and time consuming to develop full chains of exploits for Android and it’s even harder to develop zero click exploits not requiring any user interaction.

In accordance with these new technical challenges related to Android security and our observations of market trends, we believe the time has come to allocate the highest bounties to Android exploits until Apple re-improves the security of iOS and strengthens its weakest parts, which are iMessage and Safari (Webkit and sandbox).

Modern operating systems contain a variety of security protections that typically require attackers to combine two or more exploits in an attack chain, with each link tackling a different application or defense. Zero-click exploits are those that don’t require any interaction at all on the part of the end user. An exploit that arrives in a text message and allows the attacker to take control of a device is an example. A one-click exploit, by contrast, requires the end user to take minimal action, such as visiting a booby-trapped website.

Wakeup call

The price change comes four days after researchers from Google’s Project Zero reported that users of fully patched versions of iOS were vulnerable to iOS zero-days that were exploited in the wild for more than two years. Attacks against 14 separate vulnerabilities were packaged into five separate exploit chains that gave the attackers the ability to compromise up-to-date devices.

The attacks were waged from a small collection of hacked websites that used the exploits to indiscriminately attack every iOS device that visited. Attackers used the exploits to install malware that stole photos, emails, log-in credentials, live location data, and more from iPhones and iPads. Project Zero researchers didn’t identify any of the websites that hosted the exploits. On Monday, researchers from security firm Volexity identified 11 websites serving Uyghur and East Turkistan visitors that likely served the iOS exploits. The Volexity post said one of the sites also appeared to serve an Android exploit that stopped working in 2017 with the release of Chrome 60.

The Project Zero report that websites openly and indiscriminately exploited iOS zero-days for more than two years challenged conventional assumptions some security researchers had made about the security of Apple’s mobile OS. Previously, many assumed that zero-click or one-click attack chains working against the latest version of iOS were so costly and rare that they were used sparingly. The haphazard way the exploits were used on the sites discovered by Project Zero suggested that unpublished iOS attacks were plentiful, despite the considerable expertise needed to develop them.

“The latest set of zero-days affecting Apple’s platform announced by Google’s Project Zero were a bit of a wakeup call shattering our views on the iOS ecosystem and its security,” Jérôme Segura, director of threat intelligence at antivirus provider Malwarebytes, told Ars. “While it’s true that Apple controls the hardware and that OS updates are adopted quickly, we are seeing evidence that determined attackers are able to bypass iOS security mechanisms more than in the past.”

Zerodium’s update said the $2.5 million price applied to Android versions 8 and 9. The update made no reference to Android 10, which was released on Tuesday, but Bekrar told Ars that Android 10 is covered as well. While Zerodium is paying $2.5 million and $2 million for zero-click exploit chains for Android and iOS, respectively, the top price for comparable exploits targeting desktop OSes is $1 million.

“Mobile users should not be worried as the overall security of mobile devices is nowadays much better than any laptop or computer,” Bekrar said.